fix: Integrate semantic-release with build process

The version is driven by semantic-release.
In order to use it in the package (both exported to NPM
and as header metadata in the signature), we build the
package in the `postversion` step of NPM scripts.

- The CD no longer needs its own build step
- Version is read from package.json (when updated)

However, in order for the package to export its version as
as standalone string (rather than runtime reading of wrong
environment variables or whatnot), a pre-build script is
used to generate the version tag, also containing the short
Git SHA-1 (see `generateVersion.ts`).

Author: franky47

.github/workflows/cd.yml

@@ -26,8 +26,6 @@ jobs:
             ${{ runner.os }}-yarn-
       - run: yarn install --ignore-scripts
         name: Install dependencies
-      - run: yarn build
-        name: Build bundle
 
       # Continuous Delivery Pipeline --
 
@@ -37,16 +35,6 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-      - run: ./node_modules/.bin/ts-node ./scripts/generateVersion.ts
-        if: steps.semantic.outputs.new-release-published == 'true'
-        name: Generate version file
-      - run: yarn build
-        if: steps.semantic.outputs.new-release-published == 'true'
-        name: Re-build bundle with version info
-      - run: yarn sign
-        if: steps.semantic.outputs.new-release-published == 'true'
-        name: Sign bundle
-        env:
           SIGNATURE_SECRET_KEY: ${{ secrets.SIGNATURE_SECRET_KEY }}
       - uses: dswistowski/surge-sh-action@341bcbd
         name: Deploy to Surge

.github/workflows/ci.yml

@@ -32,6 +32,8 @@ jobs:
         name: Install dependencies
       - run: yarn ci
         name: Run integration tests
+        env:
+          SIGNATURE_SECRET_KEY: ${{ secrets.SIGNATURE_SECRET_KEY }}
       # - uses: coverallsapp/github-action@832e70b
       #   name: Report code coverage
       #   with:

.npmignore

@@ -11,3 +11,6 @@ lib/main.*
 .dependabot/
 scripts/
 coverage/
+
+# Generated at build time
+./src/version.ts

package.json

@@ -25,13 +25,14 @@
     "test": "jest --coverage",
     "test:watch": "jest --watch",
     "build:clean": "rm -rf ./dist ./lib ./coverage",
+    "build:version": "ts-node ./scripts/generateVersion.ts",
     "build:ts": "tsc",
     "build:bundle": "parcel build ./src/main.ts --out-file analytics.js --detailed-report 20 --experimental-scope-hoisting",
     "build:cors": "echo '*' > ./dist/CORS",
-    "build": "run-s build:clean build:ts build:bundle build:cors",
-    "gen:version": "ts-node ./scripts/generateVersion.ts",
-    "sign": "ts-node ./scripts/sign.ts",
-    "ci": "run-s build"
+    "build:sign": "ts-node ./scripts/sign.ts",
+    "build": "run-s build:clean build:version build:ts build:bundle build:sign build:cors",
+    "ci": "run-s build",
+    "postversion": "run-s build"
   },
   "dependencies": {
     "@chiffre/analytics-core": "^1.0.1",
@@ -47,6 +48,7 @@
     "jest": "^25.1.0",
     "npm-run-all": "^4.1.5",
     "parcel-bundler": "^1.12.4",
+    "semantic-release": "^17.0.4",
     "ts-jest": "^25.2.1",
     "ts-node": "^8.6.2",
     "typescript": "^3.8.3"

scripts/generateVersion.ts

@@ -2,7 +2,7 @@ import fs from 'fs'
 import path from 'path'
 
 export function generateVersion() {
-  const version = process.env.RELEASE_VERSION || '0.0.0'
+  const version = process.env.npm_package_version || '0.0.0'
   const gitSha1 = (process.env.GITHUB_SHA || 'local').slice(0, 8)
   const tag = `${version}-${gitSha1}`
   const body = `export const version = '${tag}'`

scripts/sign.ts

@@ -4,13 +4,17 @@ import crypto from 'crypto'
 import { b64, utf8 } from '@47ng/codec'
 import { parseSecretKey, signUtf8String } from '@chiffre/crypto-sign'
 
-function hashFile(filePath: string) {
-  const contents = fs.readFileSync(filePath)
+function sha256(text: string | Buffer) {
   const hash = crypto.createHash('sha256')
-  hash.update(contents)
+  hash.update(text)
   return `sha256:${b64.encode(hash.digest())}`
 }
 
+function hashFile(filePath: string) {
+  const contents = fs.readFileSync(filePath)
+  return sha256(contents)
+}
+
 export interface Metadata {
   version: string
   gitSha1: string
@@ -33,7 +37,8 @@ export function generateHeader(
     fileHash: hash
   }
   const json = JSON.stringify(header)
-  const signature = signUtf8String(json, sk)
+  const jsonHash = sha256(json)
+  const signature = signUtf8String(jsonHash, sk)
   return `/*chiffre:sig ${signature}*/\n/*chiffre:header ${json}*/\n`
 }
 
@@ -44,7 +49,7 @@ export function run() {
     return // Already signed
   }
   const meta: Metadata = {
-    version: process.env.RELEASE_VERSION || '0.0.0',
+    version: process.env.npm_package_version || '0.0.0-local',
     gitSha1: process.env.GITHUB_SHA || 'local',
     buildUrl: `https://github.com/chiffre-io/analytics-tracker/actions/runs/${process.env.GITHUB_RUN_ID}`
   }

src/version.ts

@@ -1 +1 @@
-export const version = '0.0.0-local'
+export const version = '0.0.0-semantically-released-local'